[cabfpub] Refinement of gTLD requirements
Rick_Andrews at symantec.com
Thu Jan 30 18:50:30 UTC 2014
Section 11.1.4 of the Baseline Requirements says "Within 120 days after the publication of a contract for a new gTLD is published on [www.icann.org], CAs MUST revoke each Certificate containing a Domain Name that includes the new gTLD unless the Subscriber is either the Domain Name Registrant or can demonstrate control over the Domain Name."
We've been encountering several problems with this:
1) The main web page at www.icann.org doesn't list the publication of new contracts. It contains a link to "See which strings have been delegated", which takes you to a Delegated Strings page at http://newgtlds.icann.org/en/program-status/delegated-strings. That's not the same as publication of new contracts.
2) ICANN has a method for notifying everyone of new contract signings (see https://mm.icann.org/mailman/listinfo/gtldnotification), but we're finding that there is a time lag between the time the contract is signed (and the email is sent) and the time that the domain is delegated from the public DNS root. I checked with Francisco Arias from ICANN, who confirmed that "(delegation) depends in a number of factors and wouldn't happen until, at least, a few weeks after the contract is signed, in the best case scenario."
I believe that CAs cannot determine if the Subscriber is "either the Domain Name Registrant or can demonstrate control over the Domain Name" until the domain has been delegated.
Francisco also confirmed that there are a few ways to learn about the delegation of a new gTLD:
a) Checking the page http://newgtlds.icann.org/en/program-status/delegated-strings (updated within one day or two after the delegation happens)
b) Checking the page https://data.iana.org/TLD/tlds-alpha-by-domain.txt (updated automatically by IANA)
I'm thinking of creating a ballot to update Section 11.1.4 to say something like:
"Within 120 days after the delegation from the public DNS root for a new gTLD (as indicated by either one of the two URLs below), CAs MUST revoke each Certificate containing a Domain Name that includes the new gTLD unless the Subscriber is either the Domain Name Registrant or can demonstrate control over the Domain Name."
I welcome your comments.
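As an added illustration (not part of the original post, and not code from ICANN, Symantec or the CA/Browser Forum), here is how a CA could turn the proposed text into a check: diff two snapshots of the IANA tlds-alpha-by-domain.txt list to find newly delegated gTLDs, then build a worklist of certificates whose names end in one of them, with the 120-day deadline counted from the delegation date. The snapshots, the certificates, the validated-name set and the `.bike` string are constructed sample data; fetching the IANA file is assumed to happen outside this code.

```python
from datetime import date, timedelta

# Constructed snapshots in the IANA file format: a "# Version ..." comment
# line followed by one upper-case TLD per line.
IANA_SNAPSHOT_OLD = """# Version 2014010100, Last Updated Wed Jan  1 07:07:01 2014 UTC
COM
NET
ORG
"""
IANA_SNAPSHOT_NEW = """# Version 2014013000, Last Updated Thu Jan 30 07:07:01 2014 UTC
BIKE
COM
NET
ORG
"""
REVOCATION_WINDOW = timedelta(days=120)  # Baseline Requirements 11.1.4

# Constructed issued certificates: (serial, list of DNS names).
SAMPLE_CERTS = [
    ("01", ["www.example.com", "mail.bike"]),   # internal-style name now colliding with a gTLD
    ("02", ["shop.example.org"]),
    ("03", ["*.corp.bike", "corp.bike"]),
]
# Constructed: names for which the Subscriber demonstrated control after delegation.
VALIDATED_NAMES = {"corp.bike", "*.corp.bike"}


def parse_tld_list(text):
    """Return the lower-case TLDs in an IANA list body, ignoring comment and blank lines."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}


def newly_delegated(old_text, new_text):
    """TLDs present in the new snapshot but absent from the old one."""
    return parse_tld_list(new_text) - parse_tld_list(old_text)


def rightmost_label(name):
    """The TLD of a DNS name (trailing dot and case ignored); wildcards keep their suffix."""
    return name.lower().rstrip(".").rsplit(".", 1)[-1]


def revocation_worklist(certs, new_tlds, delegation_date, validated_names):
    """(serial, name, deadline) for every name under a new gTLD that has not been validated."""
    deadline = delegation_date + REVOCATION_WINDOW
    worklist = []
    for serial, names in certs:
        for name in names:
            n = name.lower().rstrip(".")
            if rightmost_label(n) in new_tlds and n not in validated_names:
                worklist.append((serial, n, deadline))
    return worklist
```

Running `revocation_worklist(SAMPLE_CERTS, newly_delegated(IANA_SNAPSHOT_OLD, IANA_SNAPSHOT_NEW), date(2014, 1, 30), VALIDATED_NAMES)` flags only certificate 01 for `mail.bike`, due 2014-05-30.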